Re: [PATCH] drm/radeon: r6xx/r7xx possible security issue, system ram access

From: Luca Tettamanti
Date: Mon Jan 18 2010 - 07:54:31 EST

Next message: Samuel Ortiz: "Re: linux-next: trivial tree build failure"
Previous message: Avi Kivity: "Re: [RFC] [PATCH 1/7] User Space Breakpoint Assistance Layer (UBP)"
In reply to: Jerome Glisse: "[PATCH] drm/radeon: r6xx/r7xx possible security issue, system ram access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 18, 2010 at 1:01 PM, Jerome Glisse <jglisse@xxxxxxxxxx> wrote:
> This patch workaround a possible security issue which can allow
> user to abuse drm on r6xx/r7xx hw to access any system ram memory.
[...]
> diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
> index 44060b9..edafc7b 100644
> --- a/drivers/gpu/drm/radeon/r600_cs.c
> +++ b/drivers/gpu/drm/radeon/r600_cs.c
> @@ -503,9 +531,61 @@ static int r600_packet3_check(struct radeon_cs_parser *p,
> Â Â Â Â Â Â Â Âfor (i = 0; i < pkt->count; i++) {
> Â Â Â Â Â Â Â Â Â Â Â Âreg = start_reg + (4 * i);
> Â Â Â Â Â Â Â Â Â Â Â Âswitch (reg) {
> + Â Â Â Â Â Â Â Â Â Â Â /* This register were added late, there is userspace
> + Â Â Â Â Â Â Â Â Â Â Â Â* which does provide relocation for those but set
> + Â Â Â Â Â Â Â Â Â Â Â Â* 0 offset. In order to avoid breaking old userspace
> + Â Â Â Â Â Â Â Â Â Â Â Â* we detect this and set address to point to last
> + Â Â Â Â Â Â Â Â Â Â Â Â* CB_COLOR0_BASE, note that if userspace doesn't set
> + Â Â Â Â Â Â Â Â Â Â Â Â* CB_COLOR0_BASE before this register we will report
> + Â Â Â Â Â Â Â Â Â Â Â Â* error. Old userspace always set CB_COLOR0_BASE
> + Â Â Â Â Â Â Â Â Â Â Â Â* before any of this.
> + Â Â Â Â Â Â Â Â Â Â Â Â*/
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280E0_CB_COLOR0_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280E4_CB_COLOR1_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280E8_CB_COLOR2_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280EC_CB_COLOR3_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280F0_CB_COLOR4_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280F4_CB_COLOR5_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280F8_CB_COLOR6_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280FC_CB_COLOR7_FRAG:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280C0_CB_COLOR0_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280C4_CB_COLOR1_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280C8_CB_COLOR2_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280CC_CB_COLOR3_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280D0_CB_COLOR4_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280D4_CB_COLOR5_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280D8_CB_COLOR6_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â case R_0280DC_CB_COLOR7_TILE:
> + Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â if (!r600_cs_packet_next_is_pkt3_nop(p)) {
> + Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â if (!track->cb_color0_base_last) {
> + Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â dev_err(p->dev, "Broken old userspace ? no cb_color0_base supplied"
> + Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "before trying to write 0x%08X\n", reg);

Cosmetic issue: a space is missing between "supplied" and "before".

Luca
èº{.nÇ+‰·Ÿ®‰†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j¢f£¢·hš‹àz¹®w¥¢¸¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðÃnÆàþY&—

Next message: Samuel Ortiz: "Re: linux-next: trivial tree build failure"
Previous message: Avi Kivity: "Re: [RFC] [PATCH 1/7] User Space Breakpoint Assistance Layer (UBP)"
In reply to: Jerome Glisse: "[PATCH] drm/radeon: r6xx/r7xx possible security issue, system ram access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]